A list of cluster privileges. These privileges define the
cluster level actions users with this role are able to execute. This field
is optional (missing cluster privileges effectively mean no cluster level
permissions).

An object defining global privileges. A global privilege is a form of
cluster privilege that is request sensitive. A standard cluster privilege
makes authorization decisions based solely on the action being executed.
A global privilege also considers the parameters included in the request.
Support for global privileges is currently limited to the management of
application privileges. This field is optional.

A list of indices permissions entries. This field is optional (missing indices
privileges effectively mean no index level permissions).

A list of application privilege entries. This field is optional.

Role names must be at least 1 and no more than 1024 characters. They can
contain alphanumeric characters (a-z, A-Z, 0-9), spaces,
punctuation, and printable symbols in the Basic Latin (ASCII) block.
Leading or trailing whitespace is not allowed.

A search query that defines the documents the owners of the role have read
access to. A document within the associated indices must match this query
in order for it to be accessible by the owners of the role.

When specifying index names, you can use indices and aliases with their full
names or regular expressions that refer to multiple indices.

Wildcard (default) - simple wildcard matching where * is a placeholder
for zero or more characters, ? is a placeholder for a single character
and \ may be used as an escape character.

Regular Expressions - A more powerful syntax for matching more complex
patterns. This regular expression is based on Lucene’s regexp automaton
syntax. To enable this syntax, it must be wrapped within a pair of
forward slashes (/). Any pattern starting with / and not ending with
/ is considered to be malformed.

The list of the names of the application privileges to grant to this role.

The resources to which those privileges apply. These are handled in the same
way as index name pattern in indices permissions. These resources do not
have any special meaning to the Elasticsearch security features.

A role may refer to application privileges that do not exist - that is, they
have not yet been defined through the add application privileges API (or they
were defined, but have since been deleted). In this case, the privilege has
no effect, and will not grant any actions in the
has privileges API.

There are two available mechanisms to define roles: using the Role Management APIs
or in local files on the Elasticsearch nodes. You can also implement
custom roles providers. If you need to integrate with another system to retrieve
user roles, you can build a custom roles provider plugin. For more information,
see Customizing Roles and Authorization.

The Role Management APIs enable you to add, update, remove and retrieve roles
dynamically. When you use the APIs to manage roles in the native realm, the
roles are stored in an internal Elasticsearch index. For more information and examples,
see role management APIs.

Apart from the Role Management APIs, roles can also be defined in local
roles.yml file located in ES_PATH_CONF. This is a YAML file where each
role definition is keyed by its name.

If the same role name is used in the roles.yml file and through the
Role Management APIs, the role found in the file will be used.

While the Role Management APIs is the preferred mechanism to define roles,
using the roles.yml file becomes useful if you want to define fixed roles that
no one (beside an administrator having physical access to the Elasticsearch nodes)
would be able to change.

The roles.yml file is managed locally by the node and is not globally by the
cluster. This means that with a typical multi-node cluster, the exact same
changes need to be applied on each and every node in the cluster.

A safer approach would be to apply the change on one of the nodes and have the
roles.yml distributed/copied to all other nodes in the cluster (either
manually or using a configuration management system such as Puppet or Chef).

The following snippet shows an example of the roles.yml file configuration: